RIM Security VP Worried About Smartphone DDOS Attacks – Why?

I am usually called the paranoid security guy with the tinfoil hat. When I was reading a recent quote by Scott Totzke, RIM’s VP of BlackBerry Security, even I was kind of taken aback. He claims that one day hackers could use BlackBerrys/Smartphones to attack wireless networks. This is kind of interesting since it is plausible but very unlikely, and it runs against RIM’s whole concept of the BlackBerry being impervious to malware and viruses due to their containment principles.

Totzke claims that hackers would be able to commandeer thousands of smartphones to create a DDOS (Distributed Denial of Service) against a carrier. The funny part is that this already happens whenever you go to a convention and try to make a phone call while thousands of other people are making calls… Or better yet, did anybody try to get data service while you were at DevCon?

Even the recent “Malware” applications for BlackBerry require the user to be stupid enough to download the malware program to their BlackBerry in the first place. Even RIM is proud to say that you do not need Antivirus software on a BlackBerry and uses this exact “Containment” principle to justify why it is unnecessary.

Now, getting back to Totzke’s claim that hackers would use smartphones to perform a DDOS attack: this concept does not really work. Cellphone carriers could easily deactivate the connection of any device that has been compromised since they own the devices. It would be like saying that Verizon had to worry about their DSL users performing a DDOS attack on themselves… They could just cut the line.

What RIM should really be worried about is hackers finding a way to get to your personal information or read data on your device. This is a valid threat that RIM really has no way to address. Anybody with $20 and a name can get a RIM code signing key and write their own application that accesses this private information and APIs. RIM would be in a sticky situation trying to fix such an issue because they have caved to the all-powerful carrier, which makes every OS update take 6 months to get to market. What if RIM had a zero day vulnerability in OS 5.0? How would they fix it? I have always been curious if RIM has a mechanism to push out updates to all devices on BIS just like they do for BES. Or even a remote switch where they could disable applications remotely… The irony is that the Reuters reporter recommends installing a RIM patch to keep your device secure, but how do you do that if your carrier does not release an updated OS?

I don’t think we will honestly have to worry about someone breaking into the BlackBerry OS anytime soon. In all the time we’ve had leaks I don’t think we have ever found an OS with a vulnerability. I would guess that they literally destroy / trash all builds ASAP that show any signs of insecurities.

The Java platform may be buggy / slow at times but RIM has made it damn secure.

This is the problem. There are a lot of free application sites popping up, and you really can’t be sure what you’re getting. Even on the mobihand network I may be mistaken, but I don’t think there’s any sort of review process to ensure that harmful software is being kept out.

As you said Ronen, anyone with $20 can get access to the secure APIs and find out all the information about every contact on your phone, as well as all the email conversations you’ve had, what apps you have etc. etc.

Information is money, this is what they want, and it’s not hard to get it if someone installs the program (And as this article says, you may think you’re installing something else).

AND, WHY is RIM seemingly powerless to force carriers to deploy an updated OS for the browser vulnerability that has been public for MANY WEEKS now? Very few carriers have released patched OS’s to date. MILLIONS of BlackBerry smartphones worldwide remain vulnerable and RIM fiddles like Nero. Luckily, nobody (that we know of anyway) has yet figured out a way to really exploit it or Rome would truly be burning.

1) RIM fosters an irresponsible culture whereby people fetch shady “leaked” updates at RapidShare because there is no centralized, official distribution. RIM will be to blame when someone posts up a malicious OS somewhere and users download it without giving it a second thought because we have developed the habit of using those. This practice has led lots of BlackBerry users to trust something that they shouldn’t.

2) Likewise, some applications refuse to work until you grant them access to everything or even *specifically* e-mail, PIM and personal data. Even if personal data is completely irrelevant to the purpose of the app. And nobody raises a stink about such apps. People just grant the permission because, heck, they can hardly wait to play with the toy. They just surrender the data.

These combined create the perfect ground for a “social engineering” con artist. Screw the security around the BlackBerry platform from the purely technical standpoint. Just target these human vulnerabilities that both RIM and app developers have been fostering, and go to town!

1. Even WORSE are the hybrids…!
2. Did you see that QuickPull, in order to work on OS5, wants you to change ALL default security policies to ALLOW!?! And amazingly people just blindly go off and do it! Madness. And RIM tacitly approves of such activity by failing to revoke signing keys. For all its security there is still no centralized control point by RIM that could remotely revoke an app’s ability to run or interact. BUT, would users tolerate that? Look at all the brouhaha surrounding iTunes and their walled garden. RIM had the ultimate walled garden and benevolently complete control of the experience but has totally ceded it in the name of consumer market share.

Regarding number 2, I complained about this in another article when I won a free copy of Shape Service’s IM plus. The software will install, but fail to run unless you grant ALLOW for everything. I actually never even got it working, as that just screams unnecessary to me. Not that I have anything to hide, but I see no reason an IM app would need access to certain things…like input simulation. Anyway, I gave my free copy away for that very reason.

I use SMobile Security Shield on my BlackBerry. While I’ve never had a virus, and I wouldn’t download something unless it’s from a trusted source, social engineering is a consideration. You never know…we need to be aware and realistic. After all, look at how many worms and all have been created for the iPhone in just a few months, and how many vulnerabilities they’ve found with the Droid. One can never be too safe.